Credit card companies should know all about phishing, right? McCann should know all about marketing, right? Combine the two in Serbia and you will get a marketing campaign that just went viral, although for the wrong reasons.
Mastercard Serbia organised a prize contest, “Always with you”, that asks female customers to share the contents of their purse on Facebook. If you read the text carefully, it is not required to photograph your card. However, the example photo clearly shows the credit card details of a fictitious customer:
Lured by prizes, many customers posted photos of their private stuff. And some copied the Mastercard promo — their credit card, with full details, is visible in the photo:
This is the first phishing campaign that I know of that was organised by a credit company itself!
The funny thing is that nobody at Mastercard, the McCann agency or the legal team noticed the problem. There is a lengthy legal document explaining the conditions of the prize contest:
That document is signed by Mastercard Europe SA and McCann Ltd Belgrade, so it seems it has passed multiple levels of corporate approval. And Mastercard didn’t seem to notice the problem until six days later, when a Serbian security blogger wrote about it.
In my modest opinion, the lesson of this story is to be careful how you hire. I am biased because I run an employee assessment company, but smiling people with lovely résumés can still be bozos. And when you have incompetent people in the company, it doesn’t matter what formal company procedures you have in place.
P.S. As user edent from HN noticed, photo sharing of credit cards is nothing uncommon for Twitter: https://twitter.com/needadebitcard
P.P.S. As of today (May 18), the entire “Always with you” campaign has been deleted from Facebook.
McCain -> McCann for the first mention/link
My typo, thanks for noticing.
Double negative on the noticing…
My error, thanks for noticing.
The advertising/PR agency is McCann Erickson, not McCain.
Either way as far as I can tell with Google Translate the campaign doesn’t explicitly require people to show the sensitive data from the cards (the number could be covered by something leaving just the name to prove ownership).
So I think this is not a legal issue, more of a stupid image blunder of the year for the companies involved and possibly an expensive lesson for the people who don’t understand the implications of sharing such sensitive data on the web.
True, showing a credit card was not a requirement, some people just copied the photo. I have updated the text to reflect that.
“Priceless” comes to mind.
showing a credit card was a requirement, translation of post in Serbian
“Which things are ALWAYS with you, in your bag?
If you own Mastercard or Maestro, take a picture and share with us content of your bag in comments under this post. We have sweet surprises for 30 of most interesting shares”
The communication of the requirements just wasn’t good; you can easily misunderstand it, as many people including you did. It does not state that you should take a photo of your Mastercard. I guess what was meant was that if you own one, take a picture of the things you always have with you. So the requirement was to have a Mastercard, but not to include it in the picture.